I assumed that it was a targeted attack, and the attacker created the subdomains that look alike the real servers for each email that they send.. But I was totally wrong..

No matter what subdomain you use (or even without subdomain), and what ever file you request as long as the file extension is .EXE, the server will still going to response with HTTP/1.1 301 Moved Permanently and redirect you to the binary file.